With data privacy becoming increasingly crucial, organisations are under significant pressure to handle customer data responsibly.
One vital but often overlooked aspect of data protection is the handling of, and response to, Subject Access Requests (SARs).
Subject Access Requests, also known as Data Subject Access Requests (DSARs), allow individuals to access the personal information an organisation holds about them.
Handling these requests can be intricate. Organisations must carefully navigate data protection regulations, such as the General Data Protection Regulation (GDPR), to ensure compliance.
Companies face significant challenges in this area. The Information Commissioner’s Office (ICO) reported receiving over 15,000 subject access complaints last year.
In response, the ICO published new guidance for businesses and employers, highlighting widespread misunderstandings and the underestimation of the importance of timely responses.
Why are organisations struggling so much?
The Problem With Fulfilling DSARs
Completing a DSAR often involves multiple tasks that require the expertise or system access of IT teams.
Unfortunately, IT departments are already overwhelmed.
Adding DSARs to their workload diverts attention from critical security operations and risks delays.
Under GDPR, organisations have one month to respond to a DSAR. Failing to meet this deadline can result in fines of up to 4% of global revenue.
Beyond compliance risks, the financial burden of managing DSARs is increasing. In surveys of privacy experts, 41% of respondents estimated the average cost of fulfilling a single DSAR at between £3,000 and £6,000.
As costs rise, organisations struggle to keep up - risking fines that further strain their resources.
Moreover, businesses must strictly follow GDPR when processing DSARs, including securing the data they handle and protecting sensitive information.
To address these challenges, businesses should ask:
How can we efficiently handle DSAR tasks without overloading our teams?
How can we minimise the costs associated with DSARs?
How can we securely return DSAR data without breaching data protection laws?
Let’s explore the key ICO guidance to help answer these questions.
Authenticating Incoming Subject Access Requests
One primary concern in the DSAR process is verifying the authenticity of the requester. Confirming the identity of individuals making requests is crucial to prevent unauthorised access to personal data.
“To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that: you know the identity of the requester (or the person the request is made on behalf of); and the data you hold relates to the individual in question (e.g. when an individual has similar identifying details to another person).”
Always ask for enough information to confirm that the requester (or the person they are acting for) is the subject of the data.
Implement robust authentication, such as multi-factor authentication or requesting secondary ID verification.
Sending the Requested Data Back to the Subject
Once identity is verified, the next challenge is securely transmitting the data.
Data protection laws require confidentiality and the prevention of unauthorised disclosure.
Organisations must use secure channels when responding to DSARs.
“The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data. As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.”
For SARs made via email - an inherently insecure channel - email encryption is essential.
End-to-end encryption protects data in transit and at rest, helping organisations avoid breaches.
Reducing Costs and Meeting Deadlines
Organisations are struggling to complete the DSAR process efficiently and cost-effectively within the required one-month window.
They need a solution that empowers teams to manage DSARs without heavy IT involvement - one that is secure, compliant, and cost-effective.
This is where secure email solutions are invaluable.
Mailock, our secure email solution, provides end-to-end encryption and multi-factor authentication, enabling organisations to safely transmit data and verify recipients’ identities before access.
Widely used across regulated industries, Mailock is intuitive, cost-saving, and compliant - helping businesses meet DSAR demands without the burden.
Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.